easy-devops 0.1.5 → 0.1.7

package/cli/managers/ssl-manager.js

@@ -1,10 +1,10 @@
 /**
  * cli/managers/ssl-manager.js
  *
- * SSL Manager — view certificate status, renew certificates, install certbot.
+ * SSL Manager — view certificate status, renew certificates, install certbot/win-acme.
  *
  * Exported functions:
- *   - showSslManager() — interactive menu for managing SSL certificates
+ * - showSslManager() — interactive menu for managing SSL certificates
  *
  * All shell calls go through core/shell.js (run / runLive).
  * Platform differences (Windows/Linux) are handled via isWindows guards.
@@ -52,13 +52,11 @@ async function parseCertExpiry(certPath) {
   }
 }
 
-// ─── getCertbotExe ────────────────────────────────────────────────────────────
-// Returns the certbot command to use, or null if not installed.
-// On Windows, checks PATH first, then the well-known install location used by
-// the official EFF winget package (EFF.Certbot).
-// Always returns a PS-safe invocation string (& "..." for full paths).
+// ─── ACME Client Detection ────────────────────────────────────────────────────
+// Supports both certbot and win-acme on Windows
 
 const CERTBOT_WIN_EXE = 'C:\\Program Files\\Certbot\\bin\\certbot.exe';
+const WINACME_EXE = 'C:\\Program Files\\win-acme\\wacs.exe';
 
 async function getCertbotExe() {
   if (!isWindows) {
@@ -66,19 +64,30 @@ async function getCertbotExe() {
     return (r.exitCode === 0 && r.stdout.trim()) ? 'certbot' : null;
   }
 
-  // 1. On PATH?
+  // 1. certbot on PATH?
   const pathResult = await run('where.exe certbot');
   if (pathResult.exitCode === 0 && pathResult.stdout.trim()) {
     return 'certbot';
   }
 
-  // 2. Well-known install location (winget / official EFF installer)
+  // 2. certbot well-known location
   const exeCheck = await run(`Test-Path "${CERTBOT_WIN_EXE}"`);
   if (exeCheck.stdout.trim().toLowerCase() === 'true') {
-    // Must use & "..." in PowerShell to invoke a path with spaces
     return `& "${CERTBOT_WIN_EXE}"`;
   }
 
+  // 3. win-acme on PATH?
+  const wacsPathResult = await run('where.exe wacs');
+  if (wacsPathResult.exitCode === 0 && wacsPathResult.stdout.trim()) {
+    return 'wacs';
+  }
+
+  // 4. win-acme well-known location
+  const wacsCheck = await run(`Test-Path "${WINACME_EXE}"`);
+  if (wacsCheck.stdout.trim().toLowerCase() === 'true') {
+    return `& "${WINACME_EXE}"`;
+  }
+
   return null;
 }
 
@@ -86,6 +95,13 @@ async function isCertbotInstalled() {
   return (await getCertbotExe()) !== null;
 }
 
+async function getAcmeClientType() {
+  const exe = await getCertbotExe();
+  if (!exe) return null;
+  if (exe.includes('wacs')) return 'winacme';
+  return 'certbot';
+}
+
 // ─── isPort80Busy ─────────────────────────────────────────────────────────────
 
 async function isPort80Busy() {
@@ -165,7 +181,7 @@ function renderCertRow(cert) {
   const domainPadded = cert.domain.padEnd(35);
 
   if (cert.status === 'error') {
-    console.log(`  ${chalk.gray('❌')} ${chalk.gray(domainPadded)} ${chalk.gray('ERROR')}`);
+    console.log(` ${chalk.gray('❌')} ${chalk.gray(domainPadded)} ${chalk.gray('ERROR')}`);
     return;
   }
 
@@ -175,11 +191,11 @@ function renderCertRow(cert) {
   const daysStr = cert.daysLeft !== null ? `${cert.daysLeft}d` : '—';
 
   if (cert.status === 'healthy') {
-    console.log(`  ${chalk.green('✅')} ${chalk.green(domainPadded)} ${chalk.green(daysStr.padEnd(6))} ${chalk.green(`(${expiryStr})`)}`);
+    console.log(` ${chalk.green('✅')} ${chalk.green(domainPadded)} ${chalk.green(daysStr.padEnd(6))} ${chalk.green(`(${expiryStr})`)}`);
   } else if (cert.status === 'expiring') {
-    console.log(`  ${chalk.yellow('⚠️')}  ${chalk.yellow(domainPadded)} ${chalk.yellow(daysStr.padEnd(6))} ${chalk.yellow(`(${expiryStr})`)}`);
+    console.log(` ${chalk.yellow('⚠️')} ${chalk.yellow(domainPadded)} ${chalk.yellow(daysStr.padEnd(6))} ${chalk.yellow(`(${expiryStr})`)}`);
   } else {
-    console.log(`  ${chalk.red('❌')} ${chalk.red(domainPadded)} ${chalk.red(daysStr.padEnd(6))} ${chalk.red(`(${expiryStr})`)}`);
+    console.log(` ${chalk.red('❌')} ${chalk.red(domainPadded)} ${chalk.red(daysStr.padEnd(6))} ${chalk.red(`(${expiryStr})`)}`);
   }
 }
 
@@ -188,24 +204,33 @@ function renderCertRow(cert) {
 async function renewCert(domain) {
   const certbotExe = await getCertbotExe();
   if (!certbotExe) {
-    console.log(chalk.red('\n  certbot not found — install it first\n'));
+    console.log(chalk.red('\n certbot/win-acme not found — install it first\n'));
     return { domain, success: false, exitCode: null };
   }
 
+  const clientType = await getAcmeClientType();
+
   await stopNginx();
 
   try {
     const portCheck = await isPort80Busy();
     if (portCheck.busy) {
-      console.log(chalk.yellow(`\n  ⚠ Port 80 is in use: ${portCheck.detail}`));
-      console.log(chalk.yellow('  Stop that process before renewing.\n'));
+      console.log(chalk.yellow(`\n ⚠ Port 80 is in use: ${portCheck.detail}`));
+      console.log(chalk.yellow(' Stop that process before renewing.\n'));
       return { domain, success: false, exitCode: null };
     }
 
-    const exitCode = await runLive(
-      `${certbotExe} certonly --standalone -d "${domain}"`,
-      { timeout: 120000 },
-    );
+    let cmd;
+    if (clientType === 'winacme') {
+      // win-acme interactive mode - needs manual input
+      console.log(chalk.cyan('\n win-acme will open. Follow the prompts to renew the certificate.'));
+      console.log(chalk.cyan(' Select: N) Create new certificate → 2) Manual input → enter domain\n'));
+      cmd = certbotExe;
+    } else {
+      cmd = `${certbotExe} certonly --standalone -d "${domain}"`;
+    }
+
+    const exitCode = await runLive(cmd, { timeout: 120000 });
     return { domain, success: exitCode === 0, exitCode };
   } finally {
     await startNginx();
@@ -221,15 +246,21 @@ async function renewExpiring(certs) {
   const certbotExe = await getCertbotExe();
   if (!certbotExe) return [];
 
+  const clientType = await getAcmeClientType();
+
   await stopNginx();
 
   const results = [];
   try {
     for (const cert of expiring) {
-      const exitCode = await runLive(
-        `${certbotExe} certonly --standalone -d "${cert.domain}"`,
-        { timeout: 120000 },
-      );
+      let cmd;
+      if (clientType === 'winacme') {
+        console.log(chalk.cyan(`\n Renewing ${cert.domain} with win-acme - follow the prompts\n`));
+        cmd = certbotExe;
+      } else {
+        cmd = `${certbotExe} certonly --standalone -d "${cert.domain}"`;
+      }
+      const exitCode = await runLive(cmd, { timeout: 120000 });
       results.push({ domain: cert.domain, success: exitCode === 0, exitCode });
     }
   } finally {
@@ -249,7 +280,6 @@ async function installCertbot() {
 
   // ── Shared helpers ────────────────────────────────────────────────────────────
 
-  // Check multiple possible certbot locations — some methods install to different paths
   async function verifyCertbot() {
     const whereResult = await run('where.exe certbot 2>$null');
     if (whereResult.success && whereResult.stdout.trim()) return true;
@@ -265,90 +295,245 @@ async function installCertbot() {
     return false;
   }
 
-  // Download a file trying Invoke-WebRequest (TLS 1.2 forced) then curl.exe
+  async function verifyWinAcme() {
+    const paths = [
+      WINACME_EXE,
+      'C:\\Program Files (x86)\\win-acme\\wacs.exe',
+      'C:\\win-acme\\wacs.exe',
+    ];
+    for (const p of paths) {
+      const r = await run(`Test-Path '${p}'`);
+      if (r.stdout.trim().toLowerCase() === 'true') return true;
+    }
+    const whereResult = await run('where.exe wacs 2>$null');
+    return whereResult.success && whereResult.stdout.trim();
+  }
+
   const hasCurl = (await run('where.exe curl.exe 2>$null')).success;
+
   async function downloadFile(url, dest) {
-    const iwr = await run(
-      `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $ProgressPreference='SilentlyContinue'; Invoke-WebRequest -Uri '${url}' -OutFile '${dest}' -UseBasicParsing -TimeoutSec 120`,
+    const safeUrl = url.replace(/'/g, "''");
+    const safeDest = dest.replace(/'/g, "''");
+
+    // Method 1: Invoke-WebRequest with TLS 1.2
+    let r = await run(
+      `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $ProgressPreference='SilentlyContinue'; Invoke-WebRequest -Uri '${safeUrl}' -OutFile '${safeDest}' -UseBasicParsing -TimeoutSec 120`,
+      { timeout: 130000 },
+    );
+    if (r.success) return true;
+
+    // Method 2: WebClient
+    r = await run(
+      `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('${safeUrl}','${safeDest}')`,
       { timeout: 130000 },
     );
-    if (iwr.success) return true;
+    if (r.success) return true;
+
+    // Method 3: BITS
+    r = await run(
+      `Import-Module BitsTransfer -ErrorAction SilentlyContinue; Start-BitsTransfer -Source '${safeUrl}' -Destination '${safeDest}' -ErrorAction Stop`,
+      { timeout: 130000 },
+    );
+    if (r.success) return true;
+
+    // Method 4: curl.exe
     if (hasCurl) {
-      const curl = await run(`curl.exe -L --silent --show-error --max-time 120 -o '${dest}' '${url}'`, { timeout: 130000 });
-      if (curl.success) return true;
+      r = await run(
+        `curl.exe -L --ssl-no-revoke --silent --show-error --max-time 120 -o '${safeDest}' '${safeUrl}'`,
+        { timeout: 130000 },
+      );
+      if (r.success) return true;
     }
+
+    // Method 5: HttpClient
+    r = await run(
+      `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $hc=[System.Net.Http.HttpClient]::new(); $hc.DefaultRequestHeaders.Add('User-Agent','Mozilla/5.0'); $hc.Timeout=[TimeSpan]::FromSeconds(120); $bytes=$hc.GetByteArrayAsync('${safeUrl}').GetAwaiter().GetResult(); [System.IO.File]::WriteAllBytes('${safeDest}',$bytes)`,
+      { timeout: 130000 },
+    );
+    if (r.success) return true;
+
     return false;
   }
 
-  // ── Method 1: winget ──────────────────────────────────────────────────────────
-  const wingetCheck = await run('where.exe winget 2>$null');
-  if (wingetCheck.success && wingetCheck.stdout.trim()) {
-    console.log(chalk.gray('\n  [1/4] Trying winget ...\n'));
+  async function runNsisInstaller(exePath) {
+    await run(
+      `$p = Start-Process -FilePath '${exePath}' -ArgumentList '/S' -PassThru -Wait; $p.ExitCode`,
+      { timeout: 120000 },
+    );
+    await new Promise(res => setTimeout(res, 4000));
+    return verifyCertbot();
+  }
+
+  let methodNum = 0;
+  function step(label) {
+    methodNum++;
+    console.log(chalk.gray(`\n [${methodNum}] ${label}\n`));
+  }
+
+  // ── Method 1: winget (win-acme - has better success rate) ─────────────────────
+  if ((await run('where.exe winget 2>$null')).success) {
+    step('Trying winget (win-acme) ...');
+    const exitCode = await runLive(
+      'winget install -e --id win-acme.win-acme --accept-package-agreements --accept-source-agreements',
+      { timeout: 180000 },
+    );
+    if (exitCode === 0 || await verifyWinAcme()) return { success: true, client: 'winacme' };
+    console.log(chalk.yellow(' winget win-acme failed, trying next...\n'));
+  }
+
+  // ── Method 2: winget (certbot EFF) ────────────────────────────────────────────
+  if ((await run('where.exe winget 2>$null')).success) {
+    step('Trying winget (EFF.Certbot) ...');
     const exitCode = await runLive(
       'winget install -e --id EFF.Certbot --accept-package-agreements --accept-source-agreements',
       { timeout: 180000 },
     );
     if (exitCode === 0 || await verifyCertbot()) return { success: true };
-    console.log(chalk.yellow('  winget did not install certbot, trying next method...\n'));
+    console.log(chalk.yellow(' winget certbot failed, trying next...\n'));
   }
 
-  // ── Method 2: Chocolatey ──────────────────────────────────────────────────────
-  const chocoCheck = await run('where.exe choco 2>$null');
-  if (chocoCheck.success && chocoCheck.stdout.trim()) {
-    console.log(chalk.gray('\n  [2/4] Trying Chocolatey ...\n'));
+  // ── Method 3: Chocolatey (win-acme) ───────────────────────────────────────────
+  if ((await run('where.exe choco 2>$null')).success) {
+    step('Trying Chocolatey (win-acme) ...');
+    const exitCode = await runLive('choco install win-acme -y', { timeout: 180000 });
+    if (exitCode === 0 || await verifyWinAcme()) return { success: true, client: 'winacme' };
+    console.log(chalk.yellow(' Chocolatey win-acme failed, trying next...\n'));
+  }
+
+  // ── Method 4: Chocolatey (certbot) ────────────────────────────────────────────
+  if ((await run('where.exe choco 2>$null')).success) {
+    step('Trying Chocolatey (certbot) ...');
     const exitCode = await runLive('choco install certbot -y', { timeout: 180000 });
     if (exitCode === 0 || await verifyCertbot()) return { success: true };
-    console.log(chalk.yellow('  Chocolatey did not install certbot, trying next method...\n'));
+    console.log(chalk.yellow(' Chocolatey certbot failed, trying next...\n'));
+  }
+
+  // ── Method 5: pip (certbot) ───────────────────────────────────────────────────
+  for (const pip of ['pip', 'pip3']) {
+    const check = await run(`where.exe ${pip} 2>$null`);
+    if (check.success && check.stdout.trim()) {
+      step(`Trying ${pip} install certbot ...`);
+      const exitCode = await runLive(`${pip} install certbot`, { timeout: 180000 });
+      if (exitCode === 0 || await verifyCertbot()) return { success: true };
+      console.log(chalk.yellow(` ${pip} did not install certbot, trying next...\n`));
+      break;
+    }
+  }
+
+  // ── Method 6: Scoop (win-acme) ────────────────────────────────────────────────
+  if ((await run('where.exe scoop 2>$null')).success) {
+    step('Trying Scoop (win-acme) ...');
+    await runLive('scoop bucket add extras', { timeout: 60000 });
+    const exitCode = await runLive('scoop install win-acme', { timeout: 180000 });
+    if (exitCode === 0 || await verifyWinAcme()) return { success: true, client: 'winacme' };
+    console.log(chalk.yellow(' Scoop win-acme failed, trying next...\n'));
+  }
+
+  // ── Method 7: Direct download win-acme (ZIP - smaller, no installer) ──────────
+  const WINACME_DEST = 'C:\\Program Files\\win-acme';
+
+  step('Downloading win-acme from GitHub ...');
+  const winAcmeUrls = [
+    'https://github.com/win-acme/win-acme/releases/latest/download/win-acme.zip',
+    'https://github.com/win-acme/win-acme/releases/download/v2.2.9.1/win-acme.v2.2.9.1.zip',
+  ];
+
+  for (const url of winAcmeUrls) {
+    const hostname = new URL(url).hostname;
+    console.log(chalk.gray(` Downloading from ${hostname} ...`));
+
+    const zipDest = `$env:TEMP\\win-acme.zip`;
+    if (await downloadFile(url, zipDest)) {
+      console.log(chalk.gray(' Extracting win-acme ...\n'));
+      await run(`New-Item -ItemType Directory -Force -Path '${WINACME_DEST}'`);
+      await run(`Expand-Archive -Path '${zipDest}' -DestinationPath '${WINACME_DEST}' -Force`);
+      await run(`Remove-Item -Force '${zipDest}' -ErrorAction SilentlyContinue`);
+
+      if (await verifyWinAcme()) {
+        console.log(chalk.green(` win-acme installed to ${WINACME_DEST}\n`));
+        return { success: true, client: 'winacme' };
+      }
+      console.log(chalk.yellow(' Extraction succeeded but verification failed, trying next...\n'));
+    } else {
+      console.log(chalk.yellow(` Could not download from ${hostname}`));
+    }
   }
 
-  // ── Method 3: Official NSIS installer (GitHub → dl.eff.org) ──────────────────
+  // ── Method 8: Direct download certbot installer ────────────────────────────────
   const INSTALLER_FILENAME = 'certbot-beta-installer-win_amd64_signed.exe';
-  const INSTALLER_DEST     = `$env:TEMP\\${INSTALLER_FILENAME}`;
-  const downloadSources = [
-    `https://github.com/certbot/certbot/releases/latest/download/${INSTALLER_FILENAME}`,
+  const INSTALLER_DEST = `$env:TEMP\\${INSTALLER_FILENAME}`;
+  const certbotUrls = [
     `https://dl.eff.org/${INSTALLER_FILENAME}`,
+    `https://github.com/certbot/certbot/releases/latest/download/${INSTALLER_FILENAME}`,
   ];
 
-  let downloaded = false;
-  for (const url of downloadSources) {
-    const label = new URL(url).hostname;
-    console.log(chalk.gray(`\n  [3/4] Downloading certbot installer from ${label} ...\n`));
-    if (await downloadFile(url, INSTALLER_DEST)) { downloaded = true; break; }
-    console.log(chalk.yellow(`  Failed from ${label}`));
-  }
+  for (const url of certbotUrls) {
+    const hostname = new URL(url).hostname;
+    step(`Downloading certbot installer from ${hostname} ...`);
 
-  if (downloaded) {
-    console.log(chalk.gray('  Running installer silently ...\n'));
-    // Use Start-Process -PassThru -Wait so PowerShell waits for the NSIS process to fully exit
-    await run(
-      `$p = Start-Process -FilePath "${INSTALLER_DEST}" -ArgumentList '/S' -PassThru -Wait; $p.ExitCode`,
-      { timeout: 120000 },
-    );
-    await run(`Remove-Item -Force "${INSTALLER_DEST}" -ErrorAction SilentlyContinue`);
-    // Allow a few seconds for the installer to finish writing files
-    await new Promise(r => setTimeout(r, 4000));
-    if (await verifyCertbot()) return { success: true };
-    console.log(chalk.yellow('  Installer ran but certbot not found, trying pip...\n'));
+    if (await downloadFile(url, INSTALLER_DEST)) {
+      console.log(chalk.gray(' Running installer silently ...\n'));
+      const ok = await runNsisInstaller(INSTALLER_DEST);
+      await run(`Remove-Item -Force '${INSTALLER_DEST}' -ErrorAction SilentlyContinue`);
+      if (ok) return { success: true };
+      console.log(chalk.yellow(' Installer ran but certbot not detected, trying next...\n'));
+    } else {
+      console.log(chalk.yellow(` Could not download from ${hostname}`));
+    }
   }
 
-  // ── Method 4: pip (Python must be installed) ──────────────────────────────────
-  const pipCheck = await run('where.exe pip 2>$null');
-  if (pipCheck.success && pipCheck.stdout.trim()) {
-    console.log(chalk.gray('\n  [4/4] Trying pip install certbot ...\n'));
-    const exitCode = await runLive('pip install certbot', { timeout: 180000 });
-    if (exitCode === 0 || await verifyCertbot()) return { success: true };
-  } else {
-    // try pip3 as well
-    const pip3Check = await run('where.exe pip3 2>$null');
-    if (pip3Check.success && pip3Check.stdout.trim()) {
-      console.log(chalk.gray('\n  [4/4] Trying pip3 install certbot ...\n'));
-      const exitCode = await runLive('pip3 install certbot', { timeout: 180000 });
-      if (exitCode === 0 || await verifyCertbot()) return { success: true };
+  // ── Method 9: Manual installer path ───────────────────────────────────────────
+  console.log(chalk.yellow('\n All automatic methods failed.'));
+  console.log(chalk.gray(' You can manually download one of these on another PC:'));
+  console.log(chalk.gray('   • certbot:  https://certbot.eff.org/instructions?ws=other&os=windows'));
+  console.log(chalk.gray('   • win-acme: https://github.com/win-acme/win-acme/releases'));
+  console.log(chalk.gray(' Then transfer to this server and use "Specify local installer" below.\n'));
+
+  let localChoice;
+  try {
+    ({ localChoice } = await inquirer.prompt([{
+      type: 'list',
+      name: 'localChoice',
+      message: 'What would you like to do?',
+      choices: ['Specify local installer path', 'Cancel'],
+    }]));
+  } catch { return { success: false }; }
+
+  if (localChoice === 'Specify local installer path') {
+    let localPath;
+    try {
+      ({ localPath } = await inquirer.prompt([{
+        type: 'input',
+        name: 'localPath',
+        message: 'Full path to installer (.exe or .zip):',
+        validate: v => v.trim().length > 0 || 'Required',
+      }]));
+    } catch { return { success: false }; }
+
+    const exists = await run(`Test-Path '${localPath.trim()}'`);
+    if (exists.stdout.trim().toLowerCase() !== 'true') {
+      console.log(chalk.red(` File not found: ${localPath}\n`));
+      return { success: false };
+    }
+
+    const ext = path.extname(localPath.trim().toLowerCase());
+
+    if (ext === '.zip') {
+      step('Extracting ZIP archive ...');
+      await run(`New-Item -ItemType Directory -Force -Path '${WINACME_DEST}'`);
+      await run(`Expand-Archive -Path '${localPath.trim()}' -DestinationPath '${WINACME_DEST}' -Force`);
+      if (await verifyWinAcme()) {
+        return { success: true, client: 'winacme' };
+      }
+      console.log(chalk.red(' Extraction succeeded but win-acme not found.\n'));
+    } else {
+      step('Running installer silently ...');
+      const ok = await runNsisInstaller(localPath.trim());
+      if (ok) return { success: true };
+      console.log(chalk.red(' Installer ran but certbot was not detected.\n'));
     }
   }
 
-  // All methods exhausted
-  console.log(chalk.gray('\n  Manual install: https://certbot.eff.org/instructions?ws=other&os=windows\n'));
   return { success: false };
 }
 
@@ -362,11 +547,11 @@ export async function showSslManager() {
     const certs = await listCerts(liveDir);
     spinner.stop();
 
-    console.log(chalk.bold('\n  SSL Manager'));
-    console.log(chalk.gray('  ' + '─'.repeat(40)));
+    console.log(chalk.bold('\n SSL Manager'));
+    console.log(chalk.gray(' ' + '─'.repeat(40)));
 
     if (certs.length === 0) {
-      console.log(chalk.gray('  No certificates found'));
+      console.log(chalk.gray(' No certificates found'));
     } else {
       for (const cert of certs) {
         renderCertRow(cert);
@@ -399,12 +584,12 @@ export async function showSslManager() {
       case 'Renew a certificate': {
         const installed = await isCertbotInstalled();
         if (!installed) {
-          console.log(chalk.yellow('\n  ⚠ certbot not found — select "Install certbot" first\n'));
+          console.log(chalk.yellow('\n ⚠ certbot/win-acme not found — select "Install certbot" first\n'));
           break;
         }
 
         if (certs.length === 0) {
-          console.log(chalk.gray('\n  No certificates found to renew\n'));
+          console.log(chalk.gray('\n No certificates found to renew\n'));
           break;
         }
 
@@ -423,9 +608,9 @@ export async function showSslManager() {
 
         const renewResult = await renewCert(selectedDomain);
         if (renewResult.success) {
-          console.log(chalk.green('\n  ✓ Renewed successfully\n'));
+          console.log(chalk.green('\n ✓ Renewed successfully\n'));
         } else {
-          console.log(chalk.red('\n  ✗ Renewal failed — see output above\n'));
+          console.log(chalk.red('\n ✗ Renewal failed — see output above\n'));
         }
         break;
       }
@@ -433,20 +618,20 @@ export async function showSslManager() {
       case 'Renew all expiring (< 30 days)': {
         const installed = await isCertbotInstalled();
         if (!installed) {
-          console.log(chalk.yellow('\n  ⚠ certbot not found — select "Install certbot" first\n'));
+          console.log(chalk.yellow('\n ⚠ certbot/win-acme not found — select "Install certbot" first\n'));
           break;
         }
 
         const results = await renewExpiring(certs);
         if (results.length === 0) {
-          console.log(chalk.gray('\n  No certificates expiring within 30 days\n'));
+          console.log(chalk.gray('\n No certificates expiring within 30 days\n'));
         } else {
           console.log();
           for (const r of results) {
             if (r.success) {
-              console.log(`  ${chalk.green('✓ ' + r.domain)}`);
+              console.log(` ${chalk.green('✓ ' + r.domain)}`);
             } else {
-              console.log(`  ${chalk.red('✗ ' + r.domain)}`);
+              console.log(` ${chalk.red('✗ ' + r.domain)}`);
             }
           }
           console.log();
@@ -457,15 +642,17 @@ export async function showSslManager() {
       case 'Install certbot': {
         const alreadyInstalled = await isCertbotInstalled();
         if (alreadyInstalled) {
-          console.log(chalk.gray('\n  certbot is already installed\n'));
+          const clientType = await getAcmeClientType();
+          console.log(chalk.gray(`\n ${clientType === 'winacme' ? 'win-acme' : 'certbot'} is already installed\n`));
           break;
         }
 
         const installResult = await installCertbot();
         if (installResult.success) {
-          console.log(chalk.green('\n  ✓ certbot installed successfully\n'));
+          const clientName = installResult.client === 'winacme' ? 'win-acme' : 'certbot';
+          console.log(chalk.green(`\n ✓ ${clientName} installed successfully\n`));
         } else {
-          console.log(chalk.red('\n  ✗ Installation failed\n'));
+          console.log(chalk.red('\n ✗ Installation failed\n'));
         }
         break;
       }

package/cli/menus/update.js

@@ -21,7 +21,7 @@ import path from 'path';
 import { fileURLToPath } from 'url';
 import { createRequire } from 'module';
 import { run } from '../../core/shell.js';
-import { dbGet, dbSet, closeDb } from '../../core/db.js';
+import { dbGet, dbSet, closeDb, initDb } from '../../core/db.js';
 import { loadConfig } from '../../core/config.js';
 import { getDashboardStatus, startDashboard, stopDashboard } from './dashboard.js';
 
@@ -108,6 +108,9 @@ async function performUpdate(latestVersion) {
 
   sp.succeed(`Updated to v${latestVersion}`);
 
+  // Re-initialize the database connection after npm replaced the module
+  initDb();
+
   // Step 5 — restart dashboard if it was running before
   const saved = dbGet('update-pre-dashboard');
   dbSet('update-pre-dashboard', null);

package/core/db.js

@@ -16,8 +16,13 @@ try {
 }
 
 let db;
+
+function createDbConnection() {
+  return new GoodDB(new SQLiteDriver({ path: DB_PATH }));
+}
+
 try {
-  db = new GoodDB(new SQLiteDriver({ path: DB_PATH }));
+  db = createDbConnection();
 } catch (err) {
   process.stderr.write(`[ERROR] Failed to initialize database at: ${DB_PATH}\n`);
   process.stderr.write(`Hint: Check that the current user has write access to: ${DATA_DIR}\n`);
@@ -39,3 +44,17 @@ export function closeDb() {
     db.driver?.db?.close?.();
   } catch { /* ignore */ }
 }
+
+/**
+ * Reinitializes the database connection after it was closed.
+ * Call this after closeDb() when you need to use the database again.
+ */
+export function initDb() {
+  try {
+    // Check if connection is still open
+    db.driver?.db?.prepare('SELECT 1');
+  } catch {
+    // Connection is closed, create a new one
+    db = createDbConnection();
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "easy-devops",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "A unified DevOps management tool with CLI and web dashboard for managing Nginx, SSL certificates, and Node.js on Linux and Windows servers.",
   "keywords": [
     "devops",